18 Oct Careful with that electronic health record, Mr. Leavitt
I have been closely following the progress of the Health Insurance Portability and Accountability Act (HIPAA) and electronic health records for the last eight months. You can understand that since I am a practicing dentist with a small healthcare business, I have my own special interest at stake. I am what they call a “stakeholder” in this exciting and promising, yet very difficult and dangerous mandate.
More important than my job, I am a husband and father. I value patient privacy for myself and my family, as well as for my patients. Privacy is not only a hallmark of ethics in healthcare, it is justifiably our constitutional right.
Healthcare providers with small practices are put in a difficult position. Almost all dentists are ethical businessmen who honestly want the best for their patients for a fair price. It is just good business to treat people fairly in this very competitive field. However, dentists themselves do not know where to turn for information about what is expected of them concerning HIPAA and EHRs, even while the technology rumbles recklessly forward, gaining ever-increasing momentum.
Patient privacy is not a priority in the Bush Administration’s push for healthcare IT because its engineers are confident that the efficiency of technology will magically smooth over all the rough spots in security. We have learned to expect such miracles from computers.
I will let you in on a business secret that virtually all dentists know, yet nobody wishes to address: Very few dentists encrypt patient data. I would also guess that more than one dentist in the nation uses the word “password” for the password. (Did a dentist in my audience just blush?) In short, I do not believe that the threat of identity theft worries many dentists… yet.
Not so rosy scenario
Please allow me to outline a scenario which may cause some of my colleagues to reconsider complete and unsegmented, or seamless, computerization. Let us pretend that there is a fairly large practice with four dentists and 12 employees. Everyone has access to patient records because the practice is completely paperless. Let us also assume that this practice is so security-conscious that it is office policy to regularly delete old records from its database (a precaution which I doubt is very common), so that the computer system only stores 12,000 patient records at any one time.
The records, which include Social Security numbers and insurance ID numbers as well as complete medical histories, are accessed hundreds of times a day by almost everyone in the office. Just to make it interesting, let us also assume that this practice not only uses secure passwords, but the data is iron-clad encrypted. And then, just to make it even more exciting, let us assume that the computers are equipped with a yet-to-be-invented security system which causes the information to self-destruct if a computer is removed from the premises in a burglary. In summary, the practice is unusually conscientious, and over $100,000 was spent for the electronic health record system, including computers and software – a bargain for a practice this size.
Undeniably, there is a growing black market for proofs of identity. As more and more data becomes available in the form of health records, the thieves who will be attracted to the treasure will also become very sophisticated. The profit margin and lack of risk will naturally attract organized crime. The value of Social Security numbers to identity thieves is well known. Less publicized, so far, is the fact that medical and dental insurance identification can be worth thousands of dollars to an identity thief before thefts of service are noticed months later, if at all.
Healthcare is expensive. Heart surgery easily can cost over $50,000. If someone needs an operation, or even dental work, very few facilities check identities. Do you dentists check a patient’s driver’s license against his or her insurance ID? Could you recognize a phony license, even if you had the courage to insult the person by asking to see it before starting a couple of crowns?
Here is a tangent: If you are duped into doing dentistry for an identity thief, will you later have to reimburse the insurer when the theft is discovered? As more and more electronic health records are stolen, will insurers demand that dentists be responsible for checking patients’ IDs? My guess is, yes. The risk will be ours, not the insurer’s.
Let us return to the digitally secure dental office where an employee, pressured by financial difficulties, becomes an accomplice to a perfect crime. The employee asks a friend of a friend (who knows a buyer) for $5 for each stolen electronic health record, but is haggled down to 50 cents. The employee tries to get all of the records, but is only able to download half of them in the 10 minutes that are available. The computers were slow that day.
The employee pulls the heist with a couple of USB flash drives, and gets paid $3,000 without risk of going to jail. The breach will eventually be discovered because the fraud investigator will tie the ID thefts to the dental office. Angry former patients will be interviewed on the evening news. In the end, it will be assumed that a very talented “hacker” must have had his way with the computer because there is no trail. Nobody specifically will be blamed, but nevertheless the incident will bankrupt the “multi-million-dollar” dental practice for $3,000, or for even $200, or, if it is a disgruntled employee, for grins.
That is not a very pleasant tale. But here is another tangent which is even more unpleasant. Remember all of those electronic health records? There is a person who wants implants and crowns. The EHR and insurance coverage that the patient bought for $200 said that the previous owner was diabetic. No problem. The record is digital. Diagnoses and treatments can be changed along with medication allergies.
Do you see where this leads? If an unconscious person is admitted to an emergency room, contaminated electronic medical records could quickly kill the patient, and nobody would know why.
A very dangerous national electronic health record system is being carelessly rushed to market for short-term monetary gain by the insurance industry, its most powerful “stakeholder.” The hope that a carefully planned and executed health IT system offers Americans is critical for its acceptance because it will be difficult and expensive. We cannot allow politicians to destroy precious public support for this jewel based on short-term electoral gain.
Here is the crime that will bring it down: You and I, as consumers, do not yet have the right to avoid the risk I described. Americans cannot yet opt out of danger. You cannot yet protect your family. This blunder promises to entertain us with a slow, grinding train wreck which will cost taxpayers and patients more than the abandoned supercollider. Regardless of Health and Human Services Secretary Michael Leavitt’s rookie optimism, a premature EHR system will cost Americans even more trust in their elected officials, and it will kill more patients than it will save.
Please, Mr. Leavitt, slow down. Let us all have a chance at a workable plan to enjoy a safer future.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC. (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.